PT-2025-49979 · WordPress · ProfilePress

Published: 2025-12-09 · Updated: 2025-12-14 · CVE-2025-13642

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: ProfilePress versions through 4.16.7

Description: The ProfilePress plugin for WordPress is susceptible to arbitrary shortcode execution due to inadequate input sanitization of the type parameter within the form preview functionality. This allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes through the pp preview form API endpoint.

Recommendations: Update ProfilePress to a version newer than 4.16.7.

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2025-13642

Affected Products: ProfilePress